Logstash Lines: Java Event updates, 5.0 features

Welcome back to The Logstash Lines! In these weekly posts, we'll share the latest happenings in the world of Logstash and its ecosystem.

JSON Logging is back

Back in the day, Logstash used to emit its logs in JSON format. Because of endless encoding issues and crashes in logger framework, we had to roll it back. We've worked through most of these issues, so we're bringing structured logging back. For 5.0, you can tell LS to switch to JSON logging by using the --log-in-json CLI flag (#1569).

Java Event

The new Event APIs have been merged to master. This seems trivial, but it required a delicate dance of making sure existing plugins used the old API while at the same time updating plugins to use the new, unpublished core code. Plus, we had to untangle the dependency requirements between plugins. Our main goal was to minimize failures in CI and not to unnecessarily publish gems while all this was happening. What followed was a plugins update party. 80+ plugins (bundled in LS core) were updated with the new setter/getter APIs in about 3 days. Plugins tests are passing locally. We are now mass publishing these plugins so its compatible with 5.0.

Next up, is phase 2, where we update the remaining non-packaged plugins and then we call this project done

Release Packages Improvements

Work is in progress to make improvements to our release artifacts. Firstly, we are changing the directory layout of rpm, deb packages to match Elasticsearch packages. This will provide a consistent user experience across our stack. Next, we'll be using upstart and systemd to manage LS service. They have more advanced features than init.d, and make service scripts easier. While we're at it, we're creating a separate JVM options file — to centralize all the JVM flags — just like ES did (#5012).

Persistence

Investigating the use of Kryo library for serializing/deserializing Event objects into the disk backed queue. Initial work on rewriting the mmap based queues (which was once written in JRuby) in Java using the new ack-based design.

Dynamic Config Reload Bug

A user reported symptoms of “resource leak” while using the dynamic config reloading feature. After much tricky debugging and chasing, turns out the problem was in usage of ivars in Logstash. The JRuby team explained internal details of how ivar is implemented and how it can grow — in our usage pattern — to ultimately cause a slowdown. Another good example of collaboration between JRuby team and us. Fix is in progress on our side and a new release (2.3.3) will be cut soon.

RabbitMQ Enhancements

Update SSL option to be boolean once again; this had changed recently in the underlying RabbitMQ lib we use.